Add exploit module for Clickjacking vulnerability in CSRF error page pfSense <= 2.4.1 #9234
+171
−0
Conversation
resp.body = %Q|<!DOCTYPE html> | ||
<html> | ||
<meta charset="utf-8"> | ||
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.0.3/cookieconsent.min.css" /> |
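Review bot: the `<link rel="stylesheet" ... href="//cdnjs.cloudflare.com/...cookieconsent.min.css" />` on the last line makes the page the module serves depend on a third-party CDN: rendering breaks if the browser cannot reach cdnjs, and the request discloses the activity to that host. Bundle the stylesheet inline in the module's HTML instead of linking to it.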
jvoisin
Nov 27, 2017
Contributor
I don't think that we want to depend on external javascript :/
Included static content as suggested by @jvoisin
Works as advertised:
wchen-r7 added a commit that referenced this pull request on Dec 12, 2017
Release Notes: This exploits a CSRF in pfSense that allows the attacker to perform a click-jacking attack.
I know this is already merged, but I am just curious, where in the module is the csrf click jacking page used (csrf-magic.php) as per the blog post? This looks like a csrf attack to diag_command.php, in which case, no clicky is required.
Line 82 shows diag_command.php as the target
huh, where? also, my point still stands. This is csrf isn't it?
Yep, I see how it's working now. My bad.
I suppose targeting the file editor would also work, less trivial though
This module exploits a Clickjacking vulnerability in pfSense <= 2.4.1.
pfSense is a free and open source firewall and router. It was found that the pfSense WebGUI is vulnerable to Clickjacking. By tricking an authenticated admin into interacting with a specially crafted webpage it is possible for an attacker to execute arbitrary code in the WebGUI. Since the WebGUI runs as the root user, this will result in a full compromise of the pfSense instance.
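The defence against the framing attack described above is for the WebGUI to tell browsers it may not be rendered inside a cross-origin frame, via `Content-Security-Policy: frame-ancestors` (which takes precedence when present) or the older `X-Frame-Options` header. The following Ruby is an added example, not code from this pull request or from the Metasploit module, that classifies a captured set of response headers by the framing policy they enforce; the header sets in `SAMPLE_RESPONSES` are constructed for illustration, not captured from a real pfSense instance.

```ruby
# Added example: classify HTTP response headers by their anti-framing policy.
# Returns one of :blocked, :same_origin, :allowed (limited to listed origins)
# or :unprotected (the page can be framed by any origin, i.e. clickjackable).
def framing_policy(headers)
  # Normalise header names, which are case-insensitive on the wire.
  h = {}
  headers.each { |k, v| h[k.to_s.downcase] = v.to_s.strip }

  # CSP frame-ancestors wins over X-Frame-Options when both are present.
  csp = h['content-security-policy']
  if csp
    directive = csp.split(';').map(&:strip)
                   .find { |d| d.downcase.start_with?('frame-ancestors') }
    if directive
      sources = directive.split(/\s+/)[1..-1].map(&:downcase)
      return :blocked     if sources == ["'none'"]
      return :same_origin if sources == ["'self'"]
      return :allowed     # an explicit allow-list of origins
    end
  end

  xfo = h['x-frame-options']
  if xfo
    case xfo.upcase
    when 'DENY'       then return :blocked
    when 'SAMEORIGIN' then return :same_origin
    else return :unprotected # ALLOW-FROM is obsolete; treated as no protection
    end
  end

  :unprotected
end

# Constructed sample header sets (hypothetical, not captured from pfSense):
# a response with no anti-framing header beside one that carries both.
SAMPLE_RESPONSES = {
  'weak'     => { 'Content-Type' => 'text/html; charset=UTF-8' },
  'hardened' => { 'Content-Type'            => 'text/html; charset=UTF-8',
                  'X-Frame-Options'         => 'SAMEORIGIN',
                  'Content-Security-Policy' =>
                    "default-src 'self'; frame-ancestors 'self'" },
}

# Map each named response to its verdict, e.g. for an audit report.
def audit(responses)
  responses.transform_values { |hdrs| framing_policy(hdrs) }
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_RESPONSES).each { |name, verdict| puts "#{name}: #{verdict}" }
end
```

Feed `framing_policy` the headers of an authenticated WebGUI page; anything other than `:blocked` or `:same_origin` means an attacker-controlled page could still overlay the admin interface, which is the condition this module relies on.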
Verification
The victim should be able to access the WebGUI & must be logged in as admin in order for this exploit to work. Possibly the WebGUI's TLS certificate must be trusted in the browser.
use exploit/unix/http/pfsense_clickjacking
set TARGETURI https://<ip WebGUI>
exploit